sourcetype="typea" "Change in Working IP" | join Equipment_ID overwrite=false [search sourcetype="typeb" ErrorType = "POWERDOWN" | top Equipment_ID | fields + Equipment_ID _time | rename _time as toggletime] | table _time toggletime Equipment_ID
Here is my search string, in which my subsearch retrieves 'POWERDOWN' error types from the typeb sourcetype and returns them to typea, which has the events that changed IP address. This is to check whether the IP change is due to a powerdown (aka reboot).
However, I'm unsure whether there is a constraint on the time window in my search string. I need some advice on whether this constraint is possible.
Time window: typeb's event must occur before typea's events.
EDIT:
I've attempted to use join and it works. However, is there a way to constrain these "before" events to within a specified time window instead (e.g. A happens 5 min before B, reject late instances)?
I'm also having trouble converting toggletime's time string ("1339519632.644") back to an actual time. Using ctime() gives me a totally different value from the original 😞
There is no time constraint on the subsearch unless you set a time constraint. If you want to have the subsearch events within 5 minutes of the outer search events, try this
sourcetype="typea" "Change in Working IP" earliest=-65m |
eval typea_time = _time |
join Equipment_ID overwrite=false usetime=true earlier=false max=0
[search sourcetype="typeb" ErrorType = "POWERDOWN" earliest=-60m |
eval toggletime = _time |
fields + Equipment_ID toggletime ] |
where toggletime <= typea_time + 300 and toggletime > typea_time |
fieldformat typea_time = strftime(typea_time,"%x %X") |
fieldformat toggletime = strftime(toggletime,"%x %X") |
table typea_time toggletime Equipment_ID
One of the problems is that you are using the top command - what is the timestamp of the results of the top command?
The search above does a number of things to make the search more efficient and impose the time constraints that you want.
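To make the window logic concrete outside Splunk, here is an added example (not code from the thread) that replays the same correlation in Python over constructed typea/typeb records: it pairs each IP change with POWERDOWN events on the same Equipment_ID in the ordering the question asks for (POWERDOWN first, at most 300 s earlier), and renders epoch values such as "1339519632.644" with an explicit timezone so the result does not depend on the host's local zone. Field names mirror the searches above; the event values are made up.

```python
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 300  # the 5-minute window discussed in the thread

# Constructed sample events; field names mirror the searches above.
TYPEA_EVENTS = [  # sourcetype=typea "Change in Working IP"
    {"_time": 1339519932.0, "Equipment_ID": "EQ-1"},
    {"_time": 1339520500.0, "Equipment_ID": "EQ-2"},
    {"_time": 1339519700.0, "Equipment_ID": "EQ-3"},
]
TYPEB_EVENTS = [  # sourcetype=typeb ErrorType=POWERDOWN
    {"_time": 1339519632.644, "Equipment_ID": "EQ-1"},  # 299.4 s before EQ-1's IP change: keep
    {"_time": 1339519500.0, "Equipment_ID": "EQ-2"},    # 1000 s before EQ-2's IP change: too early
    {"_time": 1339519800.0, "Equipment_ID": "EQ-3"},    # after EQ-3's IP change: wrong order
]


def correlate(typea_events, typeb_events, window=WINDOW_SECONDS):
    """Pair each IP change with POWERDOWN events on the same Equipment_ID that
    occurred before it, at most `window` seconds earlier (the ordering the
    question asks for). Returns (Equipment_ID, typea_time, toggletime) tuples."""
    powerdowns = defaultdict(list)  # Equipment_ID -> list of toggletimes
    for ev in typeb_events:
        powerdowns[ev["Equipment_ID"]].append(float(ev["_time"]))
    pairs = []
    for ev in typea_events:
        typea_time = float(ev["_time"])
        for toggletime in powerdowns.get(ev["Equipment_ID"], []):
            # same idea as: where toggletime < typea_time AND toggletime >= typea_time - 300
            if typea_time - window <= toggletime < typea_time:
                pairs.append((ev["Equipment_ID"], typea_time, toggletime))
    return sorted(pairs)


def epoch_to_text(epoch, fmt="%Y-%m-%d %H:%M:%S"):
    """Render an epoch value (number or string like "1339519632.644") as UTC
    wall-clock time. The thread's "%x %X" format is locale-dependent, so an
    unambiguous format is used here by default."""
    return datetime.fromtimestamp(float(epoch), tz=timezone.utc).strftime(fmt)


if __name__ == "__main__":
    for equipment, typea_time, toggletime in correlate(TYPEA_EVENTS, TYPEB_EVENTS):
        print(equipment, epoch_to_text(typea_time), epoch_to_text(toggletime))
```

Flip the comparison in `correlate` if the answer's ordering (POWERDOWN after the IP change) is the one wanted.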
The top command was just limiting the number of Equipment IDs sent to the top 10. I've removed it.
Thanks a lot regarding strftime!
I think it's showing what I want now 🙂 Going to run it through a couple more sets of test data. Thanks!